Do I need to disclose Drizzle ORM in my privacy policy?

Yes. Drizzle ORM processes application data according to your database schema, making it a material part of your data handling infrastructure. You must disclose it in your privacy policy to comply with GDPR, CCPA, and similar regulations that require transparency about data processing technologies. Include details about what data your schema collects and how Drizzle ORM facilitates storage and retrieval.

What data does Drizzle ORM collect?

Drizzle ORM itself does not collect data. Instead, it processes whatever data your application's database schema defines. If your schema includes user names, emails, IP addresses, or other personally identifiable information, Drizzle ORM will handle that data. You are responsible for auditing your schema files to identify and disclose all PII fields in your privacy policy.

Does Drizzle ORM require a cookie consent banner?

No. Drizzle ORM is a server-side ORM library and does not set, read, or use cookies. It operates entirely within your application's backend database layer. However, you may still require a cookie banner for other technologies your site uses—Drizzle ORM itself triggers no cookie obligations.

Who is the data processor for Drizzle ORM, and where is my data stored?

Drizzle ORM is self-hosted software with no third-party processor. Data is stored in your own database infrastructure—on-premises, your hosting provider, or cloud platform of your choice (AWS, Google Cloud, etc.). You remain the sole processor and controller of data. No data is transferred to Drizzle maintainers or external vendors as part of ORM operation.

Database & ORM

Privacy policy clauses for Drizzle ORM

Drizzle ORM is a lightweight TypeScript object-relational mapping library that allows developers to interact with databases using SQL-like syntax. Websites use Drizzle ORM to manage database queries and operations while maintaining type safety and reducing boilerplate code.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Drizzle ORM collects

Your privacy policy must disclose each of the following data types when you use Drizzle ORM.

Application data stored in connected database

When does Drizzle ORM trigger privacy obligations?

Drizzle ORM itself does not collect data—it is a query builder and schema mapper. However, privacy obligations trigger the moment you define a schema with PII fields and connect Drizzle to a database that stores user data.

### Data Flow That Triggers Obligations

When you use Drizzle to persist personally identifiable information (names, emails, IP addresses, payment details, phone numbers), you become a data controller under GDPR Article 4(7) and a business under CCPA Section 1798.100. The ORM itself is neutral—your schema determines what you're storing.

### Jurisdiction-Specific Thresholds

GDPR (EU/EEA users): Applies immediately if any user is located in the EU, regardless of your company's location. No data volume threshold.

CCPA (California users): Applies if you collect personal information from California residents and meet one of three thresholds: annual revenue >$25M, data on 100,000+ consumers/households, or data sales >25% of revenue (CCPA Section 1798.100).

UK GDPR: Mirrors GDPR for UK residents; separate legal basis required.

### First Concrete Step

Privacy policy clauses for Drizzle ORM

What data Drizzle ORM collects

When does Drizzle ORM trigger privacy obligations?

Common compliance pitfalls

Pitfall 1: Not Auditing Your Drizzle Schema for Hidden PII

Pitfall 2: Storing Drizzle Backups Without a Retention Policy

Pitfall 3: Migrating Data Between Drizzle Databases Without Consent Recapture

Legal note

Sample privacy policy clause

What regulators look for

Frequently asked questions

Do I need to disclose Drizzle ORM in my privacy policy?

What data does Drizzle ORM collect?

Does Drizzle ORM require a cookie consent banner?

Who is the data processor for Drizzle ORM, and where is my data stored?

Don't ship without Bandit.